How Red October went undetected for 5 years

The beginning of the week brought us a major incident in the world of Internet security, as Kaspersky Lab announced the discovery of a cyber-espionage network that could have ramifications as significant as last year’s notorious Flame virus.

Red October may have been reported for the first time on Monday, and uncovered for the first time in October 2012, but its operatives had been hacking into workstations and stealing highly sensitive data from governments, diplomatic bodies, research centres, oil companies, military organisations and more, since 2007.

“Spying on so many things for more than five years really shows that they knew what they were doing,” said Director of Kaspersky’s Global Research and Analysis, Magnus Kalkuhl, when discussing the work of the Red October attackers with ITProPortal. The perpetrators were meticulous in their harvesting of information and user credentials, using the data for specifically customised (targeted) attacks that were few in number and clinical in execution, and thus extremely hard to trace.

Add this careful human approach to Red October’s vast command-and-control infrastructure, using tiers of countless proxy servers to obscure the data’s final destination, and dissecting the criminal network is an extremely difficult task, says Kalkuhl. As a point of contrast, the Kaspersky researcher highlighted the conspicuous nature of everyday attacks such as banking Trojans, where “malware gets spread all over the world and so it doesn’t take long until pretty much every antivirus company has a sample in the collection.” But there is no such fortune with the discreet Red October, which has researchers scrambling for intelligence despite it being in the wild for such a long period of time.

What’s more, the attackers have been “using additional tricks” such as re-infecting target systems even after the user has seemingly wiped a computer clean. “What they did is install a plug-in that worked for Adobe Acrobat Reader and Microsoft Office, and it was waiting in the background,” Kalkuhl said. “Then you get an email with a PDF file [which] does not contain any malicious code - at least you cannot see it and no antivirus can ever see it - but it has malicious code in an encrypted form.

“And now the plug-in comes in play,” he continued. “So the plug-in has been waiting there all the time for you to open such a PDF, it then decrypts the payload and executes it. In other words, as long as the plug-in stays undetected, all the attackers had to do was to send a new email to the victim with an apparently clean PDF file and the system got infected again.” With such convincingly moulded emails for each victim and the innocuous-looking PDF files, the sequence was set into practice time and again, enabling the attackers to pick the same victims’ pockets on a number of occasions over the course of five years.
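The persistence described above relies on a resident plug-in that a legitimate application loads, so one defensive check is simply to inventory every Reader plug-in and Office COM add-in on a host and flag any binary that is not Authenticode-signed. The script below is an added example written for this article, not code from Kaspersky or the original report; the Reader `plug_ins` directory, the `Office\<App>\Addins` registry layout and the ProgId-to-CLSID resolution are standard Windows conventions assumed here, and the article itself gives no file or registry locations.

```powershell
# Added example: list Adobe Reader plug-ins and Office COM add-ins and report
# their Authenticode signature state. Run from an elevated PowerShell session.
# Paths and registry keys are standard Reader/Office conventions (assumed).

function Get-SignatureState {
    param([string]$Path)
    $p = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (-not (Test-Path -LiteralPath $p)) { return 'missing' }
    return (Get-AuthenticodeSignature -FilePath $p).Status.ToString()
}

function Get-ReaderPlugins {
    # Reader plug-ins are PE files with an .api extension under <Reader>\plug_ins.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        Get-ChildItem -Path (Join-Path $root 'Adobe\*\Reader\plug_ins\*.api') -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Kind = 'ReaderPlugin'; Name = $_.Name; Path = $_.FullName
                                   Signature = (Get-SignatureState $_.FullName) }
            }
    }
}

function Get-OfficeAddins {
    # COM add-ins are registered under ...\Office\<App>\Addins\<ProgId>; the ProgId
    # resolves via HKCR to the DLL that Office loads at startup.
    $apps  = 'Word', 'Excel', 'Outlook', 'PowerPoint'
    $hives = 'HKLM:\SOFTWARE\Microsoft\Office',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office',
             'HKCU:\SOFTWARE\Microsoft\Office'
    foreach ($hive in $hives) { foreach ($app in $apps) {
        Get-ChildItem -Path "$hive\$app\Addins" -ErrorAction SilentlyContinue | ForEach-Object {
            $progId = $_.PSChildName
            $clsid  = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\CLSID" -ErrorAction SilentlyContinue).'(default)'
            $dll    = if ($clsid) { (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)' }
            [pscustomobject]@{ Kind = "Office:$app"; Name = $progId; Path = $dll
                               Signature = $(if ($dll) { Get-SignatureState $dll } else { 'unresolved' }) }
        }
    } }
}

# A legitimate vendor plug-in is normally signed; anything not 'Valid' deserves a closer look.
@(Get-ReaderPlugins) + @(Get-OfficeAddins) |
    Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table Kind, Name, Signature, Path -AutoSize
```

An unsigned or missing entry is not proof of compromise, but it is a short list worth comparing against a known-good baseline from a clean build.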

But for most hackers all good things must come to an end, and in October last year the tide began to turn against the Red October miscreants as security researchers uncovered the long-lasting operation. Despite five years of stealth and care, the hackers began to make relatively basic human errors, such as leaving source code displayed on the attack websites they were maintaining, which gave researchers a valuable insight into the espionage network. “Everyone makes errors sometimes,” Kalkuhl says. “It was definitely not a perfect operation.”

Since the breakthrough, attentions have turned to who may be behind the attacks, and why. With so many of the world’s major economies featuring on Kaspersky’s list of the targeted countries (see map above), one could say that China was notable by its absence, and with Chinese hackers believed to have created some of the exploits used in Red October, the People’s Republic has been implicated as a perpetrator in some quarters.

But Kalkuhl played down the speculation, stating, “The code analysis indicated that the developers are Russian speaking and it could be that they were just using existing Chinese exploits and modifying it for their own purposes… The exploits they were using were not new. They didn’t write them from scratch.”

Indeed, the researcher says there is no evidence the attacks have been sponsored by a nation at all. “If you compare it with Flame for example… in that case we found a lot of indicators that it was a nation-sponsored attack, which also included the use of very interesting exploits. Now in the case of Red October, we simply don’t have these indications.” Kalkuhl described Flame and Red October as “completely different platforms,” despite some research hinting that a similar method in the two operations – the use of servers masquerading as news sites – may point to a connection.

The targeted attacks of a campaign like Red October make it near-impossible to stop breaches occurring. Even the strongest security infrastructure is helpless to prevent a human falling into a convincing cyber-trap, putting even the highest-level organisations at risk. As a result, Kalkuhl fully expects the discovery of more cyber-espionage networks over the course of 2013.

“We will see more of these attacks, not less. When we talked about Flame in May 2012, we said probably this is not the only case of such an attack, probably there are much more out there still undiscovered - and then it took us five months and we found Red October. So again I would say this is not the last one.”